Lenovo must pay $7.3M USD for installing adware on thousands of laptops

The company faced a class-action lawsuit alleging that users’ privacy had been compromised

Lenovo, regarded as a reliable manufacturer of computers and technology equipment, drew the attention of the cybersecurity community in 2015, when several digital forensics specialists announced that 750k laptops manufactured by the company had shipped with preinstalled adware called VisualDiscovery, developed by the company Superfish.

According to digital forensics experts from the International Institute of Cyber Security, this adware played a fundamental role in undermining the security of online use on the machines where it was installed: it could access the user’s financial information and carried out a variant of the attack known as Man-in-the-Middle on private connections, through which an attacker could have gained access to the system to spy on the users’ encrypted communications.

The United States District Court for the Northern District of California granted preliminary approval of the settlement on November 21, four months after Lenovo and the consumers filed in court to end the action over the spyware installed on the laptops.

Following the class action, Lenovo agreed to pay $7.3M USD to customers who found the adware preinstalled on their devices, jeopardizing their privacy.

From the time this practice was made public, Lenovo consistently denied the accusations and claimed to be unaware of any third party having exploited any of its applications. In addition, the company claims to have stopped selling Superfish software with its equipment since 2015.

“While Lenovo has never agreed with the allegations contained in the class action, the company is glad to finally close this case, which has taken more than two years of legal proceedings. To date, Lenovo is not aware of a single case in which a third party has been able to exploit a vulnerability to gain access to user communications,” the company’s statement reads.

Back in 2015, Robert Graham, a specialist in digital forensics, analyzed Superfish software, later recounting his findings:

“Superfish software can be considered malicious in many ways. It is designed to intercept any type of encrypted connection. However, it does so in a very poor way, leaving the system exposed to NSA-style intelligence agencies or malicious hackers, who could spy on users’ private banking operations,” Graham said.

In 2017, Lenovo reached a settlement with the Federal Trade Commission, Connecticut and 31 other states to pay $3.5M USD over a similar controversy. The company also committed to changing the way it sells its equipment. In addition, in a separate agreement, the company paid $3.5M USD to the state authorities.